DNS-based Countermeasure Technologies for Spam … victim PC Hard Disk Drive. To converts FQDNs into...

2nd DNS-OARC Workshop Redmond, WA 2006 - 1 - Copyright (c) Yasuo Musashi, 2006, All Rights Reserved

DNS-based Countermeasure Technologies for Spam Bot Worm-infected PC terminals

in the Campus Network

Dennis A. Ludeña R.†† and Hirofumi Nagatomi††

††Graduate School of Science and TechnologyKumamoto University, 860-8555, JAPANE-mail: {dennis}@st.cs.kumamoto-u.ac.jp

Phone +81-96-342-3013

†Centre of Multimedia and Information TechnologiesKumamoto University 860-8555 JAPANE-mail:[email protected]

Phone +81-96-342-3915 Fax +81-96-342-3829

Yasuo Musashi,† Ryuichi Matsuba,† and Kenichi Sugitani†


Typical Functions of Bot Worm-infected PCs

● Transmitting of the unsolicited E-mails

● A distributed denial of service (DDoS) attack

● Self-Propagation or Launching the other internet worms

● Spying or disclosure a secret (Information Leakage)


Help!

Help!

A Spam Bot as an SMTP proxy

Spam Bot

Spam BotNormal PC

Phishing

Controller

Spam Bot

Mass Mailing

The next victim PC

The next victim PC

Bot ClusteringNetwork

Spam


A Distributed DoS (DDoS) Cyber Attack

DDoS Bot

DDoS Bot

Controller

DDoS Bot


Normal PC

Web Server

DNS Server


Bot Propagation/Launching New Internet Worm

Worm Bot

Worm Bot

Controller

Worm Bot


Normal PC


Information Leakage

Spy Bot

Spy Bot

Controller

Spy Bot


Disclosure

Spy/Information Theft


We need Countermeasures against the Bot Worm

OK!

FW

JACN10 Iwate, JAPAN


Countermeasures for Today






Conventional Detection Technologies

● Direct Observation/Analysis of the traffic packets

For instance:E-mail exchange SMTP packetsWeb access HTTP packets

● Week points

(1) Ciphered/Encrypted Data is hardly to decode i.e. to hardly find out the security incidents in the encrypted data (2) Privacy Disclosure

Direct observation of the network traffic always includes much privacy related information.


Why do we observe DNS Query Packets? (Low Privacy)

● A resource record (RR) type: a fully qualified domain name (FQDN) into the IP address(es)● PTR RR type: an IP address into the FQDN● MX RR: a generic domain name (DN) into the FQDN of an E-mail server

http://www.cc.kumamoto-u.ac.jp/http://host.domainname/

http://FQDN/

[email protected]@domainname

account@DN

http://www.DN/

smtp://nyx.cc.kumamoto-u.ac.jp/smtp://host.domainname/smtp://mail.DN/

disk

Mar 17 23:45:22 cupid postfix/smtpd[10877]: connect from aaa.sub.kumamoto-u.ac.jp[133.95.x.y]Mar 17 23:45:22 cupid postfix/smtpd[10877]: 1487B9D5: client=aaa.sub.kumamoto-u.ac.jp[133.95.x.y]Mar 17 23:45:26 cupid postfix/cleanup[10879]: 1487B9D5: message-id=<2004031*****2.1487B9D5@¥sub.kumamoto-u.ac.jp>Mar 17 23:45:26 cupid postfix/smtpd[10877]: disconnect from aaa.sub.kumamoto-u.ac.jp[133.95.x.y]Mar 17 23:45:26 cupid postfix/qmgr[627]: 1487B9D5: from=<[email protected]>, size=640,¥nrcpt=1 (queue active)

Mar 17 23:45:26 cupid postfix/smtp[10880]: 1487B9D5: to=<[email protected]>, relay=mail.sub.kumamoto-u.ac.jp[133.95.zzz.yyy], delay=4, status=sent (250 Ok: queued as ¥D48F4C6D4A)

133.95.21.16


Why do we observing DNS Query Packets

DNS Server

Web Server

http://www.cc.kumamoto-u.ac.jp/

HTTP TCP packets

DNS query UDP packetDNS query UDP packet

Logging HostName of WebClients

133.95.21.16

192.168.1.2

192.168.1.2=pcx.aaa.jpwww.cc.kumamoto-u.ac.jp 133.95.21.16The A (standard) resource record (RR) type DNS query packet transferred to the DNS server

192.168.1.2 pcx.aaa.jpThe PTR (pointer) RR type DNS query packet transferred to the DNS server


Why do we observing DNS Query Packets

DNS Server

E-Mail Server(SMTP engine)

SMTP TCP packets

Logging HostName of SMTPClients

133.95.46.100

192.168.1.2=pcx.aaa.jp

nyx.cc.kumamoto-u.ac.jp

133.95.46.100

The MX (Mail eXchange RR type DNS query packet transferred to the DNS server

pcx.aaa.jp

The A (Standard) RR type DNS query packet transferred to the DNS server

Logging HostName of SMTPClients

SMTP TCP packets

cc.kumamoto-u.ac.jp

nyx.cc.kumamoto-u.ac.jp

1 SMTP = 1 MX + 1A 1 E-mail = 1 MX + 1A + 1PTR + 1A for seding

1 E-mail = 1PTR + 1A for receiving


At 29.03.2004, we reported that…

SMTP engine

SMTP packets

DNS server

E-mail with an attachmentVictim PC (Zombie)

The next victim PC

MX RR based DNS Query Packets

To know FQDNs of the harvested DN from the victim PC Hard Disk Drive.

To converts FQDNs into IP addresses.

A RR based DNS Query Packets

1 E-mail = 1 MX + 1A + 1PTR + 1A for seding


DNS-based Detection of the Incidents andRelated Works

● Musashi, Matsuba, Sugitani, IPSJ-CSEC19(2002)/CSEC20(2003)http://www.cc.kumamoto-u.ac.jp/~musashi/200{2,3}p.html

● Rikitake, Nogawa, Tanaka, and Shimojo, IPSJ-CSS2003● Matsuba, Musashi, and Sugitani, IPSJ-DSM32(Japan) and ICETA2004 (Košice, Slovakia)

http://www.cc.kumamoto-u.ac.jp/~musashi/2004p.html● Kristoff, NANOG32, Reston, VA (2004) and Northwestern University

http://www.nanog.org/mtg-0410/kistoff.htmlhttp://aharp.ittns.northwestern.edu/talks/bots-dns.pdf

● Whyte, van Oorschot, Kranakis, Carleton Univ., Technical Reporthttp://www.scs.carleton.ca/research/tech_reports/2005/download/TR-05-06.pdf

● Ishibashi, Toyono, Toyama, Ishino, Ohshima, and Mizukoshi, ACM SIGCOMM workshop, 2005 http://www.acm.org/sigs/sigcomm/sigcomm2005/paper-IshToy.pdf● Schonewille and van Helmond, University of Amsterdam, SURFnet, 2006

http://staff.science.uva.nl/~delaat/snb-2005-2006/p12/report.pdf


Log Analysis of the DNS Query ContentsCapturing of DNS query packet by the optional configuration of the DNS server daemon

program like BIND: /etc/named.conf

Oct 12 08:38:24 kun named[533]: client 133.95.xxx.yyy#39815: query: 130.13.194.xxx.in-addr.arpa IN PTROct 12 08:38:25 kun named[533]: client 133.95.xxx.yyy#39825: query: dmea.net IN MXOct 12 08:38:43 kun named[533]: client 133.95.xxx.yyy#40010: query: mxwall03.hkabc.net IN A

Date h:m:s hostname named[PID]: client IP address#port: query: contents of DNS query packet and IN query type

The well-known three DNS query types are:A resource record (RR) type: a fully qualified domain name (FQDN) into the IP address(es)PTR RR type: an IP address into the FQDNMX RR type: a generic domain name into the FQDN of an E-mail server

diskDNS servers

/var/log/qlog/querylog

logging {channel qlog {

syslog local1; }; category queries { qlog; };

}

DNS clients Optional Configuration of BIND-9.2.6

A B

C

Intel Xeon 2.4GHz Dual CPU, 1GB main memory, Intel 100Mbps NIC, and80GB ATA 133 HDD

D The activities of the service attack worms are captured by the iplog-2.2.3 packet logger programpackage.


Detection Rate of the clients-based MX RR Query Access and Service Attack Worm-infected PC terminals

The client-based MX RR DNS traffic synchronizes in almost the same manner with the detection rate of the SAW-infected PCs the late days of August to the middle of December, 2005. After the late days of 2005, it is, however, very difficult to find out the IP addresses of the BW-infected PC terminals by only watching P2P propagation or client MX RR based DNS query traffic (Detection Evasion).

The SAW attack detection rate is defined as the packet traffic of the TCP session trial random IP access to the service ports of 135, 139, and/or 445 in the next victim PC terminals (P2P propagation).


Detection Strategies

(1) the source IP address (IPv4) based DNS query traffic from the bot worm (BW)-infected PC terminals in the campus network,

(2) the IPv6-source IP based DNS query traffic from the bot worm (BW)-infected PC terminals in the campus network, and

(3) the query contents based DNS query traffic from detection systems on the internet (the other sites) like IDS/IPS, spam filter, etc.

Statistical Analysis on:

IDS/IPS=Intrusion Detection/Prevention System



(1) the source IP address (IPv4) based DNS query traffic from the bot worm (BW)-infected PC terminals in the campus network,






DNS Query Traffic includes Worm Information

Traffic of the A resource record based DNS query packets to the top domain DNS server of the university was abnormally increased through the early days of January to the middle days of June, 2005.

Unknowns: 25th February, 7th and 12th April, 2005


Example DNS query traffic from the BW-infected PCs

● The PC client A is a top access client in 25th February, 2005Tot: 32,728/dayA: 32,727/dayPTR: 7/day

● The PC clients B and C are a top access client in 7th and 12th April, respectivelyClient B: Client C

Tot: 229,309/day 400,964/dayA: 229,265/day 400,964/dayPTR: 34/dayMX: 1/daySOA: 8/dayAAAA: 1/day




● The PC clients B and C are a top access client in 7th and 12th April, respectivelyClient B: Client C

Tot: 229,309/day 400,964/dayA: 229,265/day 400,964/dayPTR: 34/dayMX: 1/daySOA: 8/dayAAAA: 1/day


Abnormal Traffic of the A RR based DNS QueryPackets from the Client A

It took place at February 25th, 2005 12:00-17:30 (Filtered manually).


Statistics of the DNS Query Contents in the A RR based DNS query Traffic

We can see several significant keywords like “mx”, “ns”, “mail”, “smtp”, “gate”, and “relay” in the head words of query contents.


Correlation between Total Traffic and Traffic including Several Keywords

(1) This strong correlation is useful to detect the abnormal traffic of the A RR based DNS query packets (IP addresses of BW- or MMW-infected PC terminals ?). (2) The client A is an Windows PC terminal and we cannot find out any MX-record based DNS query packets from the PC terminal.


Detection- and Prevetion-System of Abnormal Traffic of the A record based DNS Query Packets from non-MX type BW-infected PC bots

polling=1 hour

cngrepCRONstart

ddosscan

exit

ddosscan

cngrep exit

Yes

No

KWL={keywords};ddosIP.A=an IPgiven by ddosscan;

ddosIP.A= KWL

DB of Keywords

return to ddosscan

print ddosIP

No

Yes

Get DNS query A record packets

print ddosIP

ddos IP DB

exit

polling=10 sec

pfd.plstart

pfdscan

sleep(polling)

pfdscan

ddosIP=IP List

IPfilter ddosIP

exit

Detection System Prevention System


Evaluation of the Detection and Prevention System: ADPS for non-MX type Mass Mailing Worm-infected PCs

Mytob.A (non client MX query type MMW or spam bot) were found but the peaks at April 7th and 12th are disappeared or decreased.




● The PC clients B and C are a top access client in 7th and 12th April, 2005, respectively

Client B: Client CTot: 229,309/day 400,964/dayA: 229,265/day 400,964/dayPTR: 34/dayMX: 1/daySOA: 8/dayAAAA: 1/day


The query contents of the DNS query access packets in the former four peaks, the IP address is directly included. Normally, only FQDN should be included in the contents of the A record based DNS query packets, howerver, the DNS query packets of the former peaks have IP addresses themselves as their contents. This feature is useful for detection of abnormal traffic of the A RR based DNS query packets.

Detection of Unusual Traffic of the A RR based DNS Query Traffic


The query contents of the DNS query access packets in the former four peaks, the IP address is directly included. Normally, only FQDN should be included in the contents of the A record based DNS query packets, howerver, the DNS query packets of the former peaks have IP addresses themselves as their contents. This feature is useful for detection of abnormal traffic of the A record based DNS query packets.

Detection of Unusual Traffic of the A RR based DNS Query Traffic


Detection- and Prevetion-System of Abnormal Traffic of the A RR based DNS Query Packets: ADPS for Direct IP

polling=10 sec

ddosip-Aadps.plstart

ascan

sleep(polling)

ascan

ddosip-A exit

Yes

No

ddosIP.A= IP address

return to ptrscan

print ddosIP

No

Yes

Get DNS query A record packets

print ddosIP

ddos IP DB

exit

Detection System

polling=10 sec

pfd.plstart

pfdscan

sleep(polling)

pfdscan

ddosIP=IP List

IPfilter ddosIP

exit

Prevention System


Evaluation of the Detection and Prevention System: ADPS for Direct IP address included A RR based DNS query packets



(1) the source IP address based DNS query traffic from the botworm (BW)-infected PC terminals in the campus network,






Total IPv6 based DNS query traffic

The total DNS query traffic from the IPv6-based DNS clients is mainly driven by that from the outside of the campus network.


A, PTR, and MX RRs based DNS Query Traffic (IPv6)

Several interesting peaks can be found: (i) April 20th, (ii) August 5th, (iii) August 30th, (iv) September 28th, (v) October 13th, and (vi) December 10th, 2005.


Abnormal A and PTR RRs based DNS Query Traffic

In April 20th, 2005, both IPv6 and IPv4 based DNS query traffics strike two peaks simultaneously.



*********.**.kumamoto-u.ac.jp

133.95.***.**

***.kumamoto-u.ac.jp

133.95.***.**

DNS query contents IPv6IPv4

230,729

216,798

180,298

152,548

1,345

265

999

377

In the query contents of the DNS query packets in the peak at April 20th, 2005, the most largest number of contents mainly consist of an FQDN of a local domain E-mail server, an FQDN of top domain DNS server (tDNS), and two IP addresses that related with PC terminals in the local domain, respectively. Since the E-mail server was pointed out as a spam-sender through the day of 20th April, 2005, the top DNS server are severely accessed by the spam-mail detection system/spam filter world-widely at the day.



- 40 -

IPv4 IPv6

The DNS query traffic from the outside the campus network correlates well with the IPv4- and IPv6 based DNS query traffics including four keywords.


Abnormal PTR RR based DNS Query Traffic

The abnormal DNS query traffic is observed in the short period of time through 15:09-15:19 at August 30th, 2005. In the traffic, the two top DNS clients are found and they belong to the same site. The traffic mainly consists of the PTR record based DNS query packets including internal IP addresses of the university. Probably, the DNS clients tried to scan the hosts in the university.



2001:1***:10**::2

2001:1***:10**::4

2001:2f8:14:**::64

3ffe:8200:0:10:250:****:fe00:****

3ffe:8200:0:10:250:****:fe00:****

DNS client IP address Top access clients

22,001

20,538

229

135

67



Statistics of the source IP address based Abnormal PTR RR typeDNS Query Traffic

2001:1***:10**::2

2001:1***:10**::4

2001:2f8:14:**::64

3ffe:8200:0:10:250:****:fe00:****

3ffe:8200:0:10:250:****:fe00:****

DNS client IP address Top access clients

22,001

20,538

229

135

67



Statistics for the DNS query contents of the Abnormal A RR basedDNS Query Traffic

In August 5th, 2005, we can observe that the A RR based DNS query traffic includes several typical keywords as in their query contents i.e. “mx”, “ns”, “mail”, “gate”, “smtp”, and “smtp” that were included in the A RR based DNS query traffic from the bot worm (BW) like a W32/Mytob.A BW.

Musashi, Y., etal., IPSJ SIG Technical Reports, DSM38 , Vol. 2005, No. 83, pp.23-28 (2005).


Several Keywords for Spam Bots in IPv6 based DNS Query Traffic

A B

In August 5th, September 28th, October 13th, and December 10th, 2005, we can observe that the A RR based DNS query traffic includes several typical keywords as in their query contents i.e. “mx”, “ns”, “mail”, “gate”, “smtp”, and “smtp” that transmitted by W32/Zotob variants-infected PCs.


Several Keywords for Spam Bots in IPv6 based DNS Query Traffic

C D

In August 5th, September 28th, October 13th, and December 10th, 2005, we can observe that the A RR based DNS query traffic includes several typical keywords as in their query contents i.e. “mx”, “ns”, “mail”, “gate”, “smtp”, and “smtp” that transmitted by W32/Zotob variants-infected PCs.



(1) the source IP address based DNS query traffic from the botworm (BW)-infected PC terminals in the campus network,






In the query contents of the DNS query packets in the latter peak, the most largest number of contents mainly consist of an FQDN of a subdomain E-mail server, an FQDN of top domain DNS server (tDNS), and two IP addresses that related with the subdomain, respectively. Since the E-mail server is claimed as a spam-sender through the the day of 20th April, 2005, the top DNS server are severely accessed by the spam-mail detection system/spam filter world-widely at the day.

DNS Resolution Reflection/Degree of Attention?

A

B*********.***.kumamoto-u.ac.jp 383669

***.kumamoto-u.ac.jp 288245133.95.***.** 125330133.95.***.** 85718

**.***.kumamoto-u.ac.jp 59921****.****.***.kumamoto-u.ac.jp 19211

****-******.****.***.kumamoto-u.ac.jp 16003*****.****.***.kumamoto-u.ac.jp 14659


In the query contents of the DNS query packets in the peak at 23rd August, 2005, the most largest number of contents mainly consist of several FQDNs and IP addresses that related with the local networks. This situation can be already observed in 20th April, 2005, and this feature shows that the query contents-based detection is useful for detection of the BW-infected PCs in the campus network, since infection of new W32/Zotob variants started aftert the middle days of August, 2005.

BW detection by watching the DNS traffic from the outside?

A

B

***.kumamoto-u.ac.jp 87448*****.***.kumamoto-u.ac.jp 28143

**.**.kumamoto-u.ac.jp 25139*******.****.kumamoto-u.ac.jp 21225

****.****.kumamoto-u.ac.jp 20645*****.***.kumamoto-u.ac.jp 18559

133.95.***.*** 17677133.95.***.** 15401。


DNS traffic from the outside of the Campus Network

It is of considerable importance to study more on the DNS traffic from the outside of the university.

(i)

(ii)

(iii)(iv)

(v) (vi)(vii)

(viii)(ix) (x)(xi)

(xii)(xiii)


Entropy

∑∈

−=Xi

iPiPXH )(log)()( 2 (1)

∑=

jjfreq

ifreqiP)(

)()( (2)


Entropy Analysis on the unique Source IP address andthe DNS query contents in the DNS traffic

Especially, the peaks (i)-(xiii) in the DNS query contents-based entropy curve synchronize in the previous traffic curve of DNS query packets from the outside of the campus network.


Prototype of Detection System


Estimation of Entropy and Detection Rate

Threshold=1000 (Candidate as Listed):False Positive = HighFalse Negative = Low

Threshold=5000 (Warning):False Positive = MediumFalse Negative = Medium

Threshold=10000 (Emergency or Critical):False Positive = LowFalse Negative = High


Conclusion and Future Work

We performed detailed statistical analysis on the traffic of the DNS query packets to the top domain DNS (tDNS) server in order to find out a detection method of the botworm (BW)-infected PC terminals.

We are just testing the hybridized detection method and developing the zero-day incident detection system.

(1) We can observe the source IP address based DNS query trafficfrom the BW-infected PC terminals, especially the A RR based DNS query traffic including several keywords.

(2) We should pay much attention on the IPv6 address based DNS query packets that can be used to evade a detection system.

(3) We can also observe the useful DNS query traffic from the outside of the campus network including information on the BW-infected PC terminals in the campus network.


Any Questions?

DNS-based Countermeasure Technologies for Spam … victim PC Hard Disk Drive. To converts FQDNs into...

Documents

Transcript of DNS-based Countermeasure Technologies for Spam … victim PC Hard Disk Drive. To converts FQDNs into...